Accepting request 1133718 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1133718 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=66
commit
c43bec7f6f
4
_service
4
_service
@ -2,10 +2,6 @@
|
|||||||
<service name="cargo_vendor" mode="manual">
|
<service name="cargo_vendor" mode="manual">
|
||||||
<param name="srctar">s390-tools-2.29.0.tar.gz</param>
|
<param name="srctar">s390-tools-2.29.0.tar.gz</param>
|
||||||
<param name="compression">zst</param>
|
<param name="compression">zst</param>
|
||||||
<param name="cargotoml">s390-tools/rust/pv/Cargo.toml</param>
|
|
||||||
<param name="cargotoml">s390-tools/rust/pv/openssl_extentions/Cargo.toml</param>
|
|
||||||
<param name="cargotoml">s390-tools/rust/utils/Cargo.toml</param>
|
|
||||||
<param name="cargotoml">s390-tools/rust/pvsecret/Cargo.toml</param>
|
|
||||||
<param name="update">true</param>
|
<param name="update">true</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="cargo_audit" mode="manual" />
|
<service name="cargo_audit" mode="manual" />
|
||||||
|
155
read_values.c
155
read_values.c
@ -1,7 +1,7 @@
|
|||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Copyright (C) 2014-2015, 2019-2023 SUSE LLC */
|
/* Copyright (C) 2014-2015, 2019-2023 SUSE LLC */
|
||||||
/* */
|
/* */
|
||||||
/* All rights reserved.
|
/* All rights reserved.
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||||
@ -37,9 +37,9 @@ enum datatypes {
|
|||||||
#define WITHOUT_KEY 0
|
#define WITHOUT_KEY 0
|
||||||
#define WITH_KEY 1
|
#define WITH_KEY 1
|
||||||
|
|
||||||
static char *versionstring = "Version 1.0.3 2023-02-16 17:00";
|
static char *versionstring = "Version 1.0.4 2023-12-17 06:58";
|
||||||
|
|
||||||
static char *version = "1.0.3";
|
static char *version = "1.0.4";
|
||||||
|
|
||||||
void *configuration_handle = NULL;
|
void *configuration_handle = NULL;
|
||||||
int layers = -1;
|
int layers = -1;
|
||||||
@ -85,18 +85,18 @@ struct machinetype {
|
|||||||
int debug = 0;
|
int debug = 0;
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Print the program version */
|
/* Print the program version */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
void print_version()
|
void print_version()
|
||||||
{
|
{
|
||||||
printf("Version: %s\n", version);
|
printf("Version: %s\n", version);
|
||||||
}
|
}
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Look for one attribute and print it */
|
/* Look for one attribute and print it */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
void print_attribute(char *user_string, int level, enum qc_attr_id attribute, enum datatypes type, int print_key)
|
void print_attribute(char *user_string, int level, enum qc_attr_id attribute, enum datatypes type, int print_key)
|
||||||
{
|
{
|
||||||
@ -121,7 +121,7 @@ float result_float = 0.0;
|
|||||||
}
|
}
|
||||||
if (erg == 1) {
|
if (erg == 1) {
|
||||||
if (print_key == WITH_KEY) {
|
if (print_key == WITH_KEY) {
|
||||||
printf("%s: ",(user_string == NULL? "NULL": user_string));
|
printf("%s : ",(user_string == NULL? "NULL": user_string));
|
||||||
} /* endif */
|
} /* endif */
|
||||||
switch (type)
|
switch (type)
|
||||||
{
|
{
|
||||||
@ -139,15 +139,22 @@ float result_float = 0.0;
|
|||||||
}
|
}
|
||||||
} /* endif */
|
} /* endif */
|
||||||
else {
|
else {
|
||||||
printf("Error: erg = %d, result_string = %s \n", erg, (result_string == NULL? "NULL": result_string));
|
if ( erg == 0 ) {
|
||||||
|
/* printf("%s : Attribute exists, but is not set. \n", (user_string == NULL? "NULL": user_string)); */
|
||||||
|
} /* endif */
|
||||||
|
else if ( erg < 0) {
|
||||||
|
printf("%s: An error occurred retrieving the attribute. Error: erg = %d, result_string = %s \n", user_string, erg, (result_string == NULL? "NULL": result_string));
|
||||||
|
} /* end else if */
|
||||||
|
/* */
|
||||||
/* TODO qc_get_attribute_string returned error */
|
/* TODO qc_get_attribute_string returned error */
|
||||||
|
/* */
|
||||||
}
|
}
|
||||||
} /* print_attribute */
|
} /* print_attribute */
|
||||||
|
|
||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Open the lib and get the handle */
|
/* Open the lib and get the handle */
|
||||||
/* */
|
/* */
|
||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
int read_sysinfo()
|
int read_sysinfo()
|
||||||
{
|
{
|
||||||
@ -175,10 +182,10 @@ int return_code;
|
|||||||
} /* read_sysinfo */
|
} /* read_sysinfo */
|
||||||
|
|
||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Look at the type of machine we're running on and print out a user */
|
/* Look at the type of machine we're running on and print out a user */
|
||||||
/* friendly string */
|
/* friendly string */
|
||||||
/* */
|
/* */
|
||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
void print_cputype()
|
void print_cputype()
|
||||||
{
|
{
|
||||||
@ -217,26 +224,26 @@ Please file a bug report with this output:\n" , cpu_type);
|
|||||||
} /* print_cputype */
|
} /* print_cputype */
|
||||||
|
|
||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Print out the values for SCC */
|
/* Print out the values for SCC */
|
||||||
/* */
|
/* */
|
||||||
/* To uniquely identify a machine the following information is used: */
|
/* To uniquely identify a machine the following information is used: */
|
||||||
/* */
|
/* */
|
||||||
/* Type */
|
/* Type */
|
||||||
/* Sequence code */
|
/* Sequence code */
|
||||||
/* CPUs total */
|
/* CPUs total */
|
||||||
/* CPUs IFL */
|
/* CPUs IFL */
|
||||||
/* LPAR Number */
|
/* LPAR Number */
|
||||||
/* LPAR Characteristics: */
|
/* LPAR Characteristics: */
|
||||||
/* LPAR CPUs */
|
/* LPAR CPUs */
|
||||||
/* LPAR IFLs */
|
/* LPAR IFLs */
|
||||||
/* */
|
/* */
|
||||||
/* Optional: */
|
/* Optional: */
|
||||||
/* */
|
/* */
|
||||||
/* VM00 Name */
|
/* VM00 Name */
|
||||||
/* VM00 Control Programm */
|
/* VM00 Control Programm */
|
||||||
/* VM00 CPUs */
|
/* VM00 CPUs */
|
||||||
/* */
|
/* */
|
||||||
/********************************************************************************/
|
/********************************************************************************/
|
||||||
void print_scc()
|
void print_scc()
|
||||||
{
|
{
|
||||||
@ -288,18 +295,18 @@ int check_model (const char *cpu) {
|
|||||||
|
|
||||||
for ( i = 0; i < models; i++) {
|
for ( i = 0; i < models; i++) {
|
||||||
|
|
||||||
if ( !strcmp(cpu,types[i]) ) {
|
if ( !strcmp(cpu,types[i]) ) {
|
||||||
return 1;
|
return 1;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
} /* check_model */
|
} /* check_model */
|
||||||
|
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* print out whether secure boot is enabled */
|
/* print out whether secure boot is enabled */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
void print_secure_mode()
|
void print_secure_mode()
|
||||||
{
|
{
|
||||||
@ -308,6 +315,9 @@ int release_major;
|
|||||||
int release_sub;
|
int release_sub;
|
||||||
int release_minor;
|
int release_minor;
|
||||||
const char *cpu_type = NULL;
|
const char *cpu_type = NULL;
|
||||||
|
int cpu_okay = 0;
|
||||||
|
int Layer = 0;
|
||||||
|
int i = 0;
|
||||||
/*
|
/*
|
||||||
* First we have to check whether we have the appropriate kernel Level (>= 5.3)
|
* First we have to check whether we have the appropriate kernel Level (>= 5.3)
|
||||||
*/
|
*/
|
||||||
@ -346,35 +356,40 @@ struct utsname uts;
|
|||||||
printf("Print_secure called\n");
|
printf("Print_secure called\n");
|
||||||
#endif
|
#endif
|
||||||
/*
|
/*
|
||||||
* Only the following machines support secure boot: z14, z14 ZR1, z15, z16
|
* Only the following machines support secure boot:
|
||||||
|
* z14, z15, z16
|
||||||
* 3906, 3907, 8561, 8562, 3931, 3932
|
* 3906, 3907, 8561, 8562, 3931, 3932
|
||||||
*/
|
*/
|
||||||
erg = qc_get_attribute_string(configuration_handle, qc_type, 0, &cpu_type);
|
erg = qc_get_attribute_string(configuration_handle, qc_type, 0, &cpu_type);
|
||||||
if (erg == 1 && cpu_type != NULL) {
|
if (erg == 1 && cpu_type != NULL) {
|
||||||
|
cpu_okay = check_model(cpu_type);
|
||||||
if ( !check_model(cpu_type) ) {
|
if ( cpu_okay == 0 ) {
|
||||||
goto return_does_not_exist;
|
goto return_does_not_exist;
|
||||||
} /* endif */
|
} /* endif */
|
||||||
} /* endif */
|
} /* endif */
|
||||||
print_attribute("Secure mode on", 1, qc_has_secure, integer, WITH_KEY);
|
|
||||||
print_attribute("Secure mode used", 1, qc_secure, integer, WITH_KEY);
|
for ( i = 0; i < 8; i++) {
|
||||||
|
erg = qc_get_attribute_int(configuration_handle, qc_layer_type_num, i, &Layer);
|
||||||
|
if (erg == 1) {
|
||||||
|
print_attribute("Secure mode on ", i, qc_has_secure, integer, WITH_KEY);
|
||||||
|
print_attribute("Secure mode used", i, qc_secure, integer, WITH_KEY);
|
||||||
|
} /* endif */
|
||||||
|
} /* endfor */
|
||||||
return;
|
return;
|
||||||
|
|
||||||
return_does_not_exist:
|
return_does_not_exist:
|
||||||
/*
|
/*
|
||||||
* Software or hardware does not support secure boot.
|
* Software or hardware does not support secure boot.
|
||||||
*/
|
*/
|
||||||
puts("Secure mode on: 0\nSecure mode used: 0");
|
puts("Secure mode on : 0\nSecure mode used : 0");
|
||||||
return;
|
return;
|
||||||
} /* print_secure_mode */
|
} /* print_secure_mode */
|
||||||
|
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* print out the uuid for this machine */
|
/* print out the uuid for this machine */
|
||||||
/* */
|
/* */
|
||||||
/* */
|
|
||||||
/* */
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
int print_uuid()
|
int print_uuid()
|
||||||
{
|
{
|
||||||
@ -417,9 +432,9 @@ int print_uuid()
|
|||||||
} /* print_uuid */
|
} /* print_uuid */
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* print out the list of valid / found symbols */
|
/* print out the list of valid / found symbols */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
void list(char * list_attribute_param)
|
void list(char * list_attribute_param)
|
||||||
{
|
{
|
||||||
@ -427,9 +442,9 @@ return;
|
|||||||
} /* list */
|
} /* list */
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* print out the requested attribute */
|
/* print out the requested attribute */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
void print_user_attribute(char *key, char *attribute_param, int layer)
|
void print_user_attribute(char *key, char *attribute_param, int layer)
|
||||||
{
|
{
|
||||||
@ -438,9 +453,9 @@ return;
|
|||||||
|
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Help Function */
|
/* Help Function */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
void help()
|
void help()
|
||||||
{
|
{
|
||||||
@ -470,9 +485,9 @@ Valid values for debug:\n\
|
|||||||
} /* help */
|
} /* help */
|
||||||
|
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* Main */
|
/* Main */
|
||||||
/* */
|
/* */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
int main(int argc, char **argv, char **envp)
|
int main(int argc, char **argv, char **envp)
|
||||||
{
|
{
|
||||||
@ -569,7 +584,7 @@ void *configuration_handle_tmp = NULL;
|
|||||||
fputs("Only one of the options a, c, L, s, S or u can be specified.\n",stderr);
|
fputs("Only one of the options a, c, L, s, S or u can be specified.\n",stderr);
|
||||||
return 1;
|
return 1;
|
||||||
} /* endif */
|
} /* endif */
|
||||||
/* still not im[plemented thatfore set to zero */
|
/* still not implemented thatfore set to zero */
|
||||||
list_attr = print_attr = 0;
|
list_attr = print_attr = 0;
|
||||||
if (print_attr != 0) {
|
if (print_attr != 0) {
|
||||||
print_user_attribute(NULL, print_attribute_param, layers);
|
print_user_attribute(NULL, print_attribute_param, layers);
|
||||||
|
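Review bot: In print_secure_mode the new per-layer loop can finish without printing any "Secure mode" line, because it prints only when `qc_get_attribute_int(configuration_handle, qc_layer_type_num, i, &Layer)` returns 1 and print_attribute is now silent for `erg == 0`; anything parsing this output then cannot tell "not secure" from "query failed". The bound `8` is hard-coded, `Layer` is written but never read in the visible lines, and every layer is printed under the same key, so the layer a value belongs to is lost. I would track whether a layer matched and otherwise take the existing fallback, e.g. `int matched = 0;`, `matched = 1;` inside the `if (erg == 1)` and `if (!matched) goto return_does_not_exist;` after the loop, and include `i` in the printed key. In the error branch of print_attribute the new printf passes `user_string` to `%s` unguarded, unlike the `user_string == NULL? "NULL": user_string` used a few lines earlier in the same function; the same guard belongs there. Parts of both function bodies lie between the hunks and are not visible here.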
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:849ff400dc6c1eb7eebe4aa3e7a4871721c25bcee6cfdd0535a056a038fd3ab0
|
|
||||||
size 1950182
|
|
BIN
s390-tools-2.30.0.tar.gz
(Stored with Git LFS)
Normal file
BIN
s390-tools-2.30.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -5,10 +5,10 @@
|
|||||||
zdev/dracut/Makefile | 15 ++++++++++--
|
zdev/dracut/Makefile | 15 ++++++++++--
|
||||||
4 files changed, 92 insertions(+), 2 deletions(-)
|
4 files changed, 92 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
|
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
|
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
|
||||||
@@ -0,0 +1,32 @@
|
@@ -0,0 +1,32 @@
|
||||||
+#!/bin/bash
|
+#!/bin/bash
|
||||||
+
|
+
|
||||||
@ -42,10 +42,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
|
|||||||
+ inst_hook cleanup 41 "$moddir/write-udev-live.sh"
|
+ inst_hook cleanup 41 "$moddir/write-udev-live.sh"
|
||||||
+ inst_multiple chzdev
|
+ inst_multiple chzdev
|
||||||
+}
|
+}
|
||||||
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
|
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
|
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
|
||||||
@@ -0,0 +1,36 @@
|
@@ -0,0 +1,36 @@
|
||||||
+#!/bin/bash
|
+#!/bin/bash
|
||||||
+#
|
+#
|
||||||
@ -83,10 +83,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
|
|||||||
+ fi
|
+ fi
|
||||||
+done
|
+done
|
||||||
+
|
+
|
||||||
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
|
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
|
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
|
||||||
@@ -0,0 +1,11 @@
|
@@ -0,0 +1,11 @@
|
||||||
+#!/bin/sh
|
+#!/bin/sh
|
||||||
+#
|
+#
|
||||||
@ -99,10 +99,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
|
|||||||
+if [ -w /sysroot/etc/udev/rules.d ]; then
|
+if [ -w /sysroot/etc/udev/rules.d ]; then
|
||||||
+ cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d
|
+ cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d
|
||||||
+fi
|
+fi
|
||||||
Index: s390-tools-2.29.0/zdev/dracut/Makefile
|
Index: s390-tools-2.30.0/zdev/dracut/Makefile
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/zdev/dracut/Makefile
|
--- s390-tools-2.30.0.orig/zdev/dracut/Makefile
|
||||||
+++ s390-tools-2.29.0/zdev/dracut/Makefile
|
+++ s390-tools-2.30.0/zdev/dracut/Makefile
|
||||||
@@ -3,17 +3,23 @@ include ../../common.mak
|
@@ -3,17 +3,23 @@ include ../../common.mak
|
||||||
|
|
||||||
ZDEVDIR := 95zdev
|
ZDEVDIR := 95zdev
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Index: s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
|
Index: s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/etc/udev/rules.d/59-dasd.rules
|
--- s390-tools-2.30.0.orig/etc/udev/rules.d/59-dasd.rules
|
||||||
+++ s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
|
+++ s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
|
||||||
@@ -15,7 +15,7 @@ KERNEL=="dasd*[!0-9]", ENV{ID_XUID}=="?*
|
@@ -15,7 +15,7 @@ KERNEL=="dasd*[!0-9]", ENV{ID_XUID}=="?*
|
||||||
|
|
||||||
LABEL="dasd_block_end"
|
LABEL="dasd_block_end"
|
||||||
|
@ -15,10 +15,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.de>
|
|||||||
fdasd/fdasd.c | 13 ++++++++-----
|
fdasd/fdasd.c | 13 ++++++++-----
|
||||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/fdasd/fdasd.c
|
Index: s390-tools-2.30.0/fdasd/fdasd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/fdasd/fdasd.c
|
--- s390-tools-2.30.0.orig/fdasd/fdasd.c
|
||||||
+++ s390-tools-2.29.0/fdasd/fdasd.c
|
+++ s390-tools-2.30.0/fdasd/fdasd.c
|
||||||
@@ -1231,10 +1231,12 @@ static int fdasd_get_volser(fdasd_anchor
|
@@ -1231,10 +1231,12 @@ static int fdasd_get_volser(fdasd_anchor
|
||||||
*/
|
*/
|
||||||
static void fdasd_reread_partition_table(fdasd_anchor_t *anc)
|
static void fdasd_reread_partition_table(fdasd_anchor_t *anc)
|
||||||
|
@ -13,10 +13,10 @@ Signed-off-by: Robert Milasan <rmilasan@suse.de>
|
|||||||
etc/udev/rules.d/59-dasd.rules | 2 +-
|
etc/udev/rules.d/59-dasd.rules | 2 +-
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
|
Index: s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/etc/udev/rules.d/59-dasd.rules
|
--- s390-tools-2.30.0.orig/etc/udev/rules.d/59-dasd.rules
|
||||||
+++ s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
|
+++ s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
|
||||||
@@ -6,7 +6,7 @@
|
@@ -6,7 +6,7 @@
|
||||||
SUBSYSTEM!="block", GOTO="dasd_symlinks_end"
|
SUBSYSTEM!="block", GOTO="dasd_symlinks_end"
|
||||||
KERNEL!="dasd*", GOTO="dasd_symlinks_end"
|
KERNEL!="dasd*", GOTO="dasd_symlinks_end"
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Index: s390-tools-2.29.0/zipl/boot/menu.c
|
Index: s390-tools-2.30.0/zipl/boot/menu.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/zipl/boot/menu.c
|
--- s390-tools-2.30.0.orig/zipl/boot/menu.c
|
||||||
+++ s390-tools-2.29.0/zipl/boot/menu.c
|
+++ s390-tools-2.30.0/zipl/boot/menu.c
|
||||||
@@ -168,8 +168,11 @@ int menu(void)
|
@@ -168,8 +168,11 @@ int menu(void)
|
||||||
/* print config list */
|
/* print config list */
|
||||||
menu_list();
|
menu_list();
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Index: s390-tools-2.29.0/etc/sysconfig/dumpconf
|
Index: s390-tools-2.30.0/etc/sysconfig/dumpconf
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/etc/sysconfig/dumpconf
|
--- s390-tools-2.30.0.orig/etc/sysconfig/dumpconf
|
||||||
+++ s390-tools-2.29.0/etc/sysconfig/dumpconf
|
+++ s390-tools-2.30.0/etc/sysconfig/dumpconf
|
||||||
@@ -1,71 +1,137 @@
|
@@ -1,71 +1,137 @@
|
||||||
+## Path: System/Dumpconf
|
+## Path: System/Dumpconf
|
||||||
+## Description: Configures the actions which should be performed after a kernel panic
|
+## Description: Configures the actions which should be performed after a kernel panic
|
||||||
|
@ -35,10 +35,10 @@ Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
|
|||||||
zdev/src/zdev-root-update.dracut | 6 ------
|
zdev/src/zdev-root-update.dracut | 6 ------
|
||||||
1 file changed, 6 deletions(-)
|
1 file changed, 6 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/zdev/src/zdev-root-update.dracut
|
Index: s390-tools-2.30.0/zdev/src/zdev-root-update.dracut
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/zdev/src/zdev-root-update.dracut
|
--- s390-tools-2.30.0.orig/zdev/src/zdev-root-update.dracut
|
||||||
+++ s390-tools-2.29.0/zdev/src/zdev-root-update.dracut
|
+++ s390-tools-2.30.0/zdev/src/zdev-root-update.dracut
|
||||||
@@ -20,10 +20,4 @@ dracut -f || {
|
@@ -20,10 +20,4 @@ dracut -f || {
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
@ -11,10 +11,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
|
|||||||
dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------
|
dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------
|
||||||
2 files changed, 100 insertions(+), 80 deletions(-)
|
2 files changed, 100 insertions(+), 80 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
@@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis
|
@@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis
|
||||||
.br
|
.br
|
||||||
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
|
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
|
||||||
@ -33,10 +33,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
|||||||
.br
|
.br
|
||||||
|
|
||||||
\fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in
|
\fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
@@ -25,6 +25,8 @@
|
@@ -25,6 +25,8 @@
|
||||||
|
|
||||||
#include "dasdfmt.h"
|
#include "dasdfmt.h"
|
||||||
|
@ -12,10 +12,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
|
|||||||
dasdfmt/dasdfmt.h | 1 +
|
dasdfmt/dasdfmt.h | 1 +
|
||||||
3 files changed, 58 insertions(+), 9 deletions(-)
|
3 files changed, 58 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
@@ -7,7 +7,7 @@
|
@@ -7,7 +7,7 @@
|
||||||
dasdfmt \- formatting of DASD (ECKD) disk drives.
|
dasdfmt \- formatting of DASD (ECKD) disk drives.
|
||||||
|
|
||||||
@ -53,10 +53,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
|||||||
\fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR
|
\fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR
|
||||||
Specify the volume serial number or volume identifier to be written
|
Specify the volume serial number or volume identifier to be written
|
||||||
to disk after formatting. If no label is specified, a sensible default
|
to disk after formatting. If no label is specified, a sensible default
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
@@ -13,6 +13,7 @@
|
@@ -13,6 +13,7 @@
|
||||||
#include <sys/sysmacros.h>
|
#include <sys/sysmacros.h>
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
|
@ -12,10 +12,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
|
|||||||
dasdfmt/dasdfmt.h | 1 +
|
dasdfmt/dasdfmt.h | 1 +
|
||||||
3 files changed, 27 insertions(+), 8 deletions(-)
|
3 files changed, 27 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
@@ -7,7 +7,7 @@
|
@@ -7,7 +7,7 @@
|
||||||
dasdfmt \- formatting of DASD (ECKD) disk drives.
|
dasdfmt \- formatting of DASD (ECKD) disk drives.
|
||||||
|
|
||||||
@ -37,10 +37,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
|||||||
\fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR
|
\fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR
|
||||||
Specify the \fImode\fR to be used to format the device. Valid modes are:
|
Specify the \fImode\fR to be used to format the device. Valid modes are:
|
||||||
.RS
|
.RS
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
@@ -83,6 +83,7 @@ static struct dasdfmt_globals {
|
@@ -83,6 +83,7 @@ static struct dasdfmt_globals {
|
||||||
int ese;
|
int ese;
|
||||||
int no_discard;
|
int no_discard;
|
||||||
|
@ -13,10 +13,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
|
|||||||
dasdfmt/dasdfmt.c | 8 ++++++++
|
dasdfmt/dasdfmt.c | 8 ++++++++
|
||||||
2 files changed, 13 insertions(+), 1 deletion(-)
|
2 files changed, 13 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
|
||||||
@@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis
|
@@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis
|
||||||
.br
|
.br
|
||||||
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
|
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
|
||||||
@ -37,10 +37,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
|
|||||||
\fB-y\fR
|
\fB-y\fR
|
||||||
Start formatting without further user-confirmation.
|
Start formatting without further user-confirmation.
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
@@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = {
|
@@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = {
|
||||||
.desc = "Format devices in parallel",
|
.desc = "Format devices in parallel",
|
||||||
.flags = UTIL_OPT_FLAG_NOLONG,
|
.flags = UTIL_OPT_FLAG_NOLONG,
|
||||||
|
@ -19,10 +19,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.de>
|
|||||||
dasdfmt/dasdfmt.c | 21 ++++++++++++++++++---
|
dasdfmt/dasdfmt.c | 21 ++++++++++++++++++---
|
||||||
1 file changed, 18 insertions(+), 3 deletions(-)
|
1 file changed, 18 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
|
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
|
||||||
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
|
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
|
||||||
@@ -621,7 +621,7 @@ static void check_layout(unsigned int in
|
@@ -621,7 +621,7 @@ static void check_layout(unsigned int in
|
||||||
*/
|
*/
|
||||||
static void check_disk(void)
|
static void check_disk(void)
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Index: s390-tools-2.29.0/common.mak
|
Index: s390-tools-2.30.0/common.mak
|
||||||
===================================================================
|
===================================================================
|
||||||
--- s390-tools-2.29.0.orig/common.mak
|
--- s390-tools-2.30.0.orig/common.mak
|
||||||
+++ s390-tools-2.29.0/common.mak
|
+++ s390-tools-2.30.0/common.mak
|
||||||
@@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \
|
@@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \
|
||||||
LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS
|
LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS
|
||||||
|
|
||||||
|
@ -1,691 +0,0 @@
|
|||||||
---
|
|
||||||
zkey/ep11.c | 48 +++++++++++-----
|
|
||||||
zkey/keystore.c | 4 +
|
|
||||||
zkey/kmip/zkey-kmip.c | 74 +++++++++++++++++++++----
|
|
||||||
zkey/kms.c | 9 ++-
|
|
||||||
zkey/pkey.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++--
|
|
||||||
zkey/pkey.h | 45 +++++++++++----
|
|
||||||
zkey/zkey-cryptsetup.c | 15 ++++-
|
|
||||||
zkey/zkey.c | 8 ++
|
|
||||||
8 files changed, 294 insertions(+), 50 deletions(-)
|
|
||||||
|
|
||||||
--- a/zkey/ep11.c
|
|
||||||
+++ b/zkey/ep11.c
|
|
||||||
@@ -365,8 +365,9 @@ int select_ep11_apqn_by_mkvp(struct ep11
|
|
||||||
* @param[in] target the target handle to use for the re-encipher operation
|
|
||||||
* @param[in] card the card that corresponds to the target handle
|
|
||||||
* @param[in] domain the domain that corresponds to the target handle
|
|
||||||
- * @param[in/out] ep11key the EP11 key token to reencipher. The re-enciphered
|
|
||||||
- * secure key will be returned in this buffer.
|
|
||||||
+ * @param[in/out] ep11key_blob the EP11 key token to reencipher. The
|
|
||||||
+ * re-enciphered secure key will be returned in this
|
|
||||||
+ * buffer.
|
|
||||||
* @param[in] ep11key_size the size of the secure key
|
|
||||||
* @param[in] verbose if true, verbose messages are printed
|
|
||||||
*
|
|
||||||
@@ -374,21 +375,29 @@ int select_ep11_apqn_by_mkvp(struct ep11
|
|
||||||
*/
|
|
||||||
static int ep11_adm_reencrypt(struct ep11_lib *ep11, target_t target,
|
|
||||||
unsigned int card, unsigned int domain,
|
|
||||||
- struct ep11keytoken *ep11key,
|
|
||||||
+ u8 *ep11key_blob,
|
|
||||||
unsigned int ep11key_size, bool verbose)
|
|
||||||
{
|
|
||||||
+ struct ep11kblob_header *hdr = (struct ep11kblob_header *)ep11key_blob;
|
|
||||||
+ struct ep11keytoken *ep11key;
|
|
||||||
CK_BYTE resp[MAX_BLOBSIZE];
|
|
||||||
CK_BYTE req[MAX_BLOBSIZE];
|
|
||||||
- char ep11_token_header[sizeof(ep11key->head)];
|
|
||||||
+ char ep11_token_header[sizeof(ep11key->head)] = { 0 };
|
|
||||||
struct XCPadmresp lrb;
|
|
||||||
struct XCPadmresp rb;
|
|
||||||
+ bool with_header;
|
|
||||||
size_t resp_len;
|
|
||||||
size_t blob_len;
|
|
||||||
long req_len;
|
|
||||||
CK_RV rv;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- blob_len = ep11key->head.length;
|
|
||||||
+ with_header = is_ep11_aes_key_with_header(ep11key_blob, ep11key_size);
|
|
||||||
+ ep11key = (struct ep11keytoken *)(with_header ?
|
|
||||||
+ ep11key_blob + sizeof(struct ep11kblob_header) :
|
|
||||||
+ ep11key_blob);
|
|
||||||
+ blob_len = with_header ? hdr->len - sizeof(struct ep11kblob_header) :
|
|
||||||
+ ep11key->head.len;
|
|
||||||
if (blob_len > ep11key_size) {
|
|
||||||
pr_verbose(verbose, "Blob length larger than secure key size");
|
|
||||||
return -EINVAL;
|
|
||||||
@@ -397,9 +406,14 @@ static int ep11_adm_reencrypt(struct ep1
|
|
||||||
rb.domain = domain;
|
|
||||||
lrb.domain = domain;
|
|
||||||
|
|
||||||
- /* The token header is an overlay over the (all zero) session field */
|
|
||||||
- memcpy(ep11_token_header, ep11key, sizeof(ep11_token_header));
|
|
||||||
- memset(ep11key->session, 0, sizeof(ep11key->session));
|
|
||||||
+ if (!with_header) {
|
|
||||||
+ /*
|
|
||||||
+ * The token header is an overlay over the (all zero) session
|
|
||||||
+ * field
|
|
||||||
+ */
|
|
||||||
+ memcpy(ep11_token_header, ep11key, sizeof(ep11_token_header));
|
|
||||||
+ memset(ep11key->session, 0, sizeof(ep11key->session));
|
|
||||||
+ }
|
|
||||||
|
|
||||||
resp_len = sizeof(resp);
|
|
||||||
req_len = ep11->dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
|
|
||||||
@@ -446,7 +460,8 @@ static int ep11_adm_reencrypt(struct ep1
|
|
||||||
}
|
|
||||||
|
|
||||||
memcpy(ep11key, lrb.payload, blob_len);
|
|
||||||
- memcpy(ep11key, ep11_token_header, sizeof(ep11_token_header));
|
|
||||||
+ if (!with_header)
|
|
||||||
+ memcpy(ep11key, ep11_token_header, sizeof(ep11_token_header));
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -469,7 +484,6 @@ int reencipher_ep11_key(struct ep11_lib
|
|
||||||
unsigned int card, unsigned int domain, u8 *secure_key,
|
|
||||||
unsigned int secure_key_size, bool verbose)
|
|
||||||
{
|
|
||||||
- struct ep11keytoken *ep11key = (struct ep11keytoken *)secure_key;
|
|
||||||
CK_IBM_DOMAIN_INFO dinf;
|
|
||||||
CK_ULONG dinf_len = sizeof(dinf);
|
|
||||||
CK_RV rv;
|
|
||||||
@@ -493,17 +507,21 @@ int reencipher_ep11_key(struct ep11_lib
|
|
||||||
return -ENODEV;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ep11_adm_reencrypt(ep11, target, card, domain, ep11key,
|
|
||||||
+ rc = ep11_adm_reencrypt(ep11, target, card, domain, secure_key,
|
|
||||||
secure_key_size, verbose);
|
|
||||||
if (rc != 0)
|
|
||||||
return rc;
|
|
||||||
|
|
||||||
if (is_xts_key(secure_key, secure_key_size)) {
|
|
||||||
- secure_key += EP11_KEY_SIZE;
|
|
||||||
- secure_key_size -= EP11_KEY_SIZE;
|
|
||||||
- ep11key = (struct ep11keytoken *)secure_key;
|
|
||||||
+ if (is_ep11_aes_key_with_header(secure_key, secure_key_size)) {
|
|
||||||
+ secure_key += EP11_AES_KEY_SIZE;
|
|
||||||
+ secure_key_size -= EP11_AES_KEY_SIZE;
|
|
||||||
+ } else {
|
|
||||||
+ secure_key += EP11_KEY_SIZE;
|
|
||||||
+ secure_key_size -= EP11_KEY_SIZE;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- rc = ep11_adm_reencrypt(ep11, target, card, domain, ep11key,
|
|
||||||
+ rc = ep11_adm_reencrypt(ep11, target, card, domain, secure_key,
|
|
||||||
secure_key_size, verbose);
|
|
||||||
if (rc != 0)
|
|
||||||
return rc;
|
|
||||||
--- a/zkey/keystore.c
|
|
||||||
+++ b/zkey/keystore.c
|
|
||||||
@@ -3398,7 +3398,9 @@ static int _keystore_perform_reencipher(
|
|
||||||
"CURRENT master key", name);
|
|
||||||
if (!selected &&
|
|
||||||
!is_ep11_aes_key(secure_key,
|
|
||||||
- secure_key_size))
|
|
||||||
+ secure_key_size) &&
|
|
||||||
+ !is_ep11_aes_key_with_header(secure_key,
|
|
||||||
+ secure_key_size))
|
|
||||||
print_msg_for_cca_envvars(
|
|
||||||
"secure AES key");
|
|
||||||
}
|
|
||||||
--- a/zkey/kmip/zkey-kmip.c
|
|
||||||
+++ b/zkey/kmip/zkey-kmip.c
|
|
||||||
@@ -5278,9 +5278,11 @@ static int _ep11_unwrap_key_rsa(struct p
|
|
||||||
m_UnwrapKey_t dll_m_UnwrapKey;
|
|
||||||
const unsigned char *key_blob;
|
|
||||||
struct ep11keytoken *ep11key;
|
|
||||||
+ struct ep11kblob_header *hdr;
|
|
||||||
CK_MECHANISM mech = { 0 };
|
|
||||||
CK_BYTE csum[7] = { 0 };
|
|
||||||
CK_BBOOL ck_true = true;
|
|
||||||
+ int pkey_fd, rc;
|
|
||||||
CK_RV rv;
|
|
||||||
|
|
||||||
CK_ATTRIBUTE template[] = {
|
|
||||||
@@ -5306,7 +5308,8 @@ static int _ep11_unwrap_key_rsa(struct p
|
|
||||||
pr_verbose(&ph->pd, "Wrap hashing algorithm: %d",
|
|
||||||
ph->profile->wrap_hashing_algo);
|
|
||||||
|
|
||||||
- if (*unwrapped_key_len < sizeof(struct ep11keytoken)) {
|
|
||||||
+ if (*unwrapped_key_len < sizeof(struct ep11kblob_header) +
|
|
||||||
+ sizeof(struct ep11keytoken)) {
|
|
||||||
_set_error(ph, "Key buffer is too small");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
@@ -5381,19 +5384,68 @@ static int _ep11_unwrap_key_rsa(struct p
|
|
||||||
256 * 256 * csum[csum_len - 3] +
|
|
||||||
256 * 256 * 256 * csum[csum_len - 4];
|
|
||||||
|
|
||||||
- /* Setup the EP11 token header */
|
|
||||||
- ep11key = (struct ep11keytoken *)unwrapped_key;
|
|
||||||
- memset(&ep11key->session, 0, sizeof(ep11key->session));
|
|
||||||
- ep11key->head.type = TOKEN_TYPE_NON_CCA;
|
|
||||||
- ep11key->head.length = *unwrapped_key_len;
|
|
||||||
- ep11key->head.version = TOKEN_VERSION_EP11_AES;
|
|
||||||
- ep11key->head.keybitlen = bit_len;
|
|
||||||
+ /* Prepend and setup the EP11 token header */
|
|
||||||
+ hdr = (struct ep11kblob_header *)unwrapped_key;
|
|
||||||
+ ep11key = (struct ep11keytoken *)
|
|
||||||
+ (unwrapped_key + sizeof(struct ep11kblob_header));
|
|
||||||
+ memmove(ep11key, unwrapped_key, *unwrapped_key_len);
|
|
||||||
+ *unwrapped_key_len += sizeof(struct ep11kblob_header);
|
|
||||||
+ memset(hdr, 0, sizeof(struct ep11kblob_header));
|
|
||||||
+ hdr->type = TOKEN_TYPE_NON_CCA;
|
|
||||||
+ hdr->hver = 0;
|
|
||||||
+ hdr->len = *unwrapped_key_len;
|
|
||||||
+ hdr->version = TOKEN_VERSION_EP11_AES_WITH_HEADER;
|
|
||||||
+ hdr->bitlen = bit_len;
|
|
||||||
|
|
||||||
- pr_verbose(&ph->pd, "unwrapped bit length: %u",
|
|
||||||
- ep11key->head.keybitlen);
|
|
||||||
+ pr_verbose(&ph->pd, "unwrapped bit length: %u", hdr->bitlen);
|
|
||||||
|
|
||||||
/* return full length, blob is already zero padded */
|
|
||||||
- *unwrapped_key_len = sizeof(struct ep11keytoken);
|
|
||||||
+ *unwrapped_key_len =
|
|
||||||
+ sizeof(struct ep11kblob_header) + sizeof(struct ep11keytoken);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Check if the pkey module supports keys of type
|
|
||||||
+ * TOKEN_VERSION_EP11_AES_WITH_HEADER, older kernels may not support
|
|
||||||
+ * such keys. If it does not support such keys, convert the key to
|
|
||||||
+ * TOKEN_VERSION_EP11_AES type, if its session field is all zero
|
|
||||||
+ * (i.e. the key is not session bound).
|
|
||||||
+ */
|
|
||||||
+ pkey_fd = open_pkey_device(ph->pd.verbose);
|
|
||||||
+ if (pkey_fd < 0) {
|
|
||||||
+ _set_error(ph, "Failed to open pkey device");
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = validate_secure_key(pkey_fd, unwrapped_key, *unwrapped_key_len,
|
|
||||||
+ NULL, NULL, NULL, ph->pd.verbose);
|
|
||||||
+ close(pkey_fd);
|
|
||||||
+ if (rc == -EINVAL || rc == -ENODEV) {
|
|
||||||
+ pr_verbose(&ph->pd, "The pkey kernel module does not support "
|
|
||||||
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
|
|
||||||
+
|
|
||||||
+ if (is_ep11_key_session_bound(unwrapped_key,
|
|
||||||
+ *unwrapped_key_len)) {
|
|
||||||
+ _set_error(ph, "The unwrapped key is session bound. "
|
|
||||||
+ "Kernel support is required for such keys");
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ key_blob_len = hdr->len;
|
|
||||||
+ *unwrapped_key_len -= sizeof(struct ep11kblob_header);
|
|
||||||
+ memmove(unwrapped_key,
|
|
||||||
+ unwrapped_key + sizeof(struct ep11kblob_header),
|
|
||||||
+ *unwrapped_key_len);
|
|
||||||
+ ep11key = (struct ep11keytoken *)unwrapped_key;
|
|
||||||
+ memset(&ep11key->session, 0, sizeof(ep11key->session));
|
|
||||||
+ ep11key->head.type = TOKEN_TYPE_NON_CCA;
|
|
||||||
+ ep11key->head.len = key_blob_len -
|
|
||||||
+ sizeof(struct ep11kblob_header);
|
|
||||||
+ ep11key->head.version = TOKEN_VERSION_EP11_AES;
|
|
||||||
+ ep11key->head.bitlen = bit_len;
|
|
||||||
+ } else if (rc != 0) {
|
|
||||||
+ _set_error(ph, "Failed to validate unwrapped key");
|
|
||||||
+ return rc;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
--- a/zkey/kms.c
|
|
||||||
+++ b/zkey/kms.c
|
|
||||||
@@ -2175,7 +2175,7 @@ int generate_kms_key(struct kms_info *km
|
|
||||||
else if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0)
|
|
||||||
key_size = AESCIPHER_KEY_SIZE;
|
|
||||||
else if (strcasecmp(key_type, KEY_TYPE_EP11_AES) == 0)
|
|
||||||
- key_size = EP11_KEY_SIZE;
|
|
||||||
+ key_size = EP11_AES_KEY_SIZE;
|
|
||||||
else
|
|
||||||
return -ENOTSUP;
|
|
||||||
|
|
||||||
@@ -2248,6 +2248,9 @@ int generate_kms_key(struct kms_info *km
|
|
||||||
if (verbose)
|
|
||||||
util_hexdump_grp(stderr, NULL, key_blob, 4, key_blob_size, 0);
|
|
||||||
|
|
||||||
+ if (is_ep11_aes_key(key_blob, key_blob_size))
|
|
||||||
+ key_size = EP11_KEY_SIZE;
|
|
||||||
+
|
|
||||||
/* Save ID and label of 1st key */
|
|
||||||
rc = properties_set(key_props, xts ? PROP_NAME_KMS_XTS_KEY1_ID :
|
|
||||||
PROP_NAME_KMS_KEY_ID, key1_id);
|
|
||||||
@@ -3132,6 +3135,8 @@ int import_kms_key(struct kms_info *kms_
|
|
||||||
key_size = AESCIPHER_KEY_SIZE;
|
|
||||||
else if (is_ep11_aes_key(key_blob, key_blob_size))
|
|
||||||
key_size = EP11_KEY_SIZE;
|
|
||||||
+ else if (is_ep11_aes_key_with_header(key_blob, key_blob_size))
|
|
||||||
+ key_size = EP11_AES_KEY_SIZE;
|
|
||||||
|
|
||||||
if (key_size == 0 || key_blob_size > key_size) {
|
|
||||||
pr_verbose(verbose, "Key '%s' has an unknown or unsupported "
|
|
||||||
@@ -3366,6 +3371,8 @@ int refresh_kms_key(struct kms_info *kms
|
|
||||||
key_size = AESCIPHER_KEY_SIZE;
|
|
||||||
else if (is_ep11_aes_key(key_blob, key_blob_size))
|
|
||||||
key_size = EP11_KEY_SIZE;
|
|
||||||
+ else if (is_ep11_aes_key_with_header(key_blob, key_blob_size))
|
|
||||||
+ key_size = EP11_AES_KEY_SIZE;
|
|
||||||
|
|
||||||
if (key_size == 0 || key_blob_size > key_size) {
|
|
||||||
pr_verbose(verbose, "Key '%s' has an unknown or unsupported "
|
|
||||||
--- a/zkey/pkey.c
|
|
||||||
+++ b/zkey/pkey.c
|
|
||||||
@@ -858,7 +858,7 @@ static enum pkey_key_type key_type_to_pk
|
|
||||||
if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0)
|
|
||||||
return PKEY_TYPE_CCA_CIPHER;
|
|
||||||
if (strcasecmp(key_type, KEY_TYPE_EP11_AES) == 0)
|
|
||||||
- return PKEY_TYPE_EP11;
|
|
||||||
+ return PKEY_TYPE_EP11_AES;
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -879,6 +879,8 @@ static size_t key_size_for_type(enum pke
|
|
||||||
return AESCIPHER_KEY_SIZE;
|
|
||||||
case PKEY_TYPE_EP11:
|
|
||||||
return EP11_KEY_SIZE;
|
|
||||||
+ case PKEY_TYPE_EP11_AES:
|
|
||||||
+ return EP11_AES_KEY_SIZE;
|
|
||||||
default:
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -924,6 +926,7 @@ int generate_secure_key_random(int pkey_
|
|
||||||
return -ENOTSUP;
|
|
||||||
}
|
|
||||||
|
|
||||||
+retry:
|
|
||||||
genseck2.size = keybits_to_keysize(keybits);
|
|
||||||
if (genseck2.size == 0) {
|
|
||||||
warnx("Invalid value for '--keybits'/'-c': '%lu'", keybits);
|
|
||||||
@@ -957,10 +960,33 @@ int generate_secure_key_random(int pkey_
|
|
||||||
genseck2.keylen = size;
|
|
||||||
|
|
||||||
rc = pkey_genseck2(pkey_fd, &genseck2, verbose);
|
|
||||||
+ if (rc == -EINVAL && genseck2.type == PKEY_TYPE_EP11_AES) {
|
|
||||||
+ /*
|
|
||||||
+ * Older kernels may not support gensek2 with key type
|
|
||||||
+ * PKEY_TYPE_EP11_AES, retry with PKEY_TYPE_EP11.
|
|
||||||
+ */
|
|
||||||
+ pr_verbose(verbose,
|
|
||||||
+ "ioctl PKEY_GENSECK2 does not support "
|
|
||||||
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
|
|
||||||
+
|
|
||||||
+ genseck2.type = PKEY_TYPE_EP11;
|
|
||||||
+ free(genseck2.apqns);
|
|
||||||
+ genseck2.apqns = NULL;
|
|
||||||
+ genseck2.apqn_entries = 0;
|
|
||||||
+ free(secure_key);
|
|
||||||
+ goto retry;
|
|
||||||
+ }
|
|
||||||
if (rc != 0) {
|
|
||||||
warnx("Failed to generate a secure key: %s", strerror(-rc));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+ if (rc == 0 && genseck2.type == PKEY_TYPE_EP11) {
|
|
||||||
+ if (is_ep11_key_session_bound(secure_key, size)) {
|
|
||||||
+ warnx("The generated key is session bound. Kernel "
|
|
||||||
+ "support is required for such keys");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (xts) {
|
|
||||||
free(genseck2.apqns);
|
|
||||||
@@ -1062,6 +1088,7 @@ int generate_secure_key_clear(int pkey_f
|
|
||||||
return -ENOTSUP;
|
|
||||||
}
|
|
||||||
|
|
||||||
+retry:
|
|
||||||
clr2seck2.size = keybits_to_keysize(HALF_KEYSIZE_FOR_XTS(
|
|
||||||
clear_key_size * 8, xts));
|
|
||||||
if (clr2seck2.size == 0) {
|
|
||||||
@@ -1096,10 +1123,33 @@ int generate_secure_key_clear(int pkey_f
|
|
||||||
clr2seck2.keylen = size;
|
|
||||||
|
|
||||||
rc = pkey_clr2seck2(pkey_fd, &clr2seck2, verbose);
|
|
||||||
+ if (rc == -EINVAL && clr2seck2.type == PKEY_TYPE_EP11_AES) {
|
|
||||||
+ /*
|
|
||||||
+ * Older kernels may not support clr2seck2 with key type
|
|
||||||
+ * PKEY_TYPE_EP11_AES, retry with PKEY_TYPE_EP11.
|
|
||||||
+ */
|
|
||||||
+ pr_verbose(verbose,
|
|
||||||
+ "ioctl PKEY_CLR2SECK2 does not support "
|
|
||||||
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
|
|
||||||
+
|
|
||||||
+ clr2seck2.type = PKEY_TYPE_EP11;
|
|
||||||
+ free(clr2seck2.apqns);
|
|
||||||
+ clr2seck2.apqns = NULL;
|
|
||||||
+ clr2seck2.apqn_entries = 0;
|
|
||||||
+ free(secure_key);
|
|
||||||
+ goto retry;
|
|
||||||
+ }
|
|
||||||
if (rc != 0) {
|
|
||||||
warnx("Failed to generate a secure key: %s", strerror(-rc));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+ if (rc == 0 && clr2seck2.type == PKEY_TYPE_EP11) {
|
|
||||||
+ if (is_ep11_key_session_bound(secure_key, size)) {
|
|
||||||
+ warnx("The generated key is session bound. Kernel "
|
|
||||||
+ "support is required for such keys");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (xts) {
|
|
||||||
free(clr2seck2.apqns);
|
|
||||||
@@ -1486,6 +1536,8 @@ int get_master_key_verification_pattern(
|
|
||||||
struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key;
|
|
||||||
struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key;
|
|
||||||
struct ep11keytoken *ep11key = (struct ep11keytoken *)key;
|
|
||||||
+ struct ep11keytoken *ep11key2 =
|
|
||||||
+ (struct ep11keytoken *)(key + sizeof(struct ep11kblob_header));
|
|
||||||
|
|
||||||
util_assert(key != NULL, "Internal error: secure_key is NULL");
|
|
||||||
util_assert(mkvp != NULL, "Internal error: mkvp is NULL");
|
|
||||||
@@ -1497,6 +1549,8 @@ int get_master_key_verification_pattern(
|
|
||||||
memcpy(mkvp, &cipherkey->kvp, sizeof(cipherkey->kvp));
|
|
||||||
else if (is_ep11_aes_key(key, key_size))
|
|
||||||
memcpy(mkvp, &ep11key->wkvp, sizeof(ep11key->wkvp));
|
|
||||||
+ else if (is_ep11_aes_key_with_header(key, key_size))
|
|
||||||
+ memcpy(mkvp, &ep11key2->wkvp, sizeof(ep11key2->wkvp));
|
|
||||||
else
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
@@ -1593,9 +1647,11 @@ bool is_ep11_aes_key(const u8 *key, size
|
|
||||||
|
|
||||||
if (ep11key->head.type != TOKEN_TYPE_NON_CCA)
|
|
||||||
return false;
|
|
||||||
+ if (ep11key->head.hver != 0)
|
|
||||||
+ return false;
|
|
||||||
if (ep11key->head.version != TOKEN_VERSION_EP11_AES)
|
|
||||||
return false;
|
|
||||||
- if (ep11key->head.length > key_size)
|
|
||||||
+ if (ep11key->head.len > key_size)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
if (ep11key->version != 0x1234)
|
|
||||||
@@ -1605,6 +1661,65 @@ bool is_ep11_aes_key(const u8 *key, size
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
+ * Check if the specified key is a EP11 AES key token with external header.
|
|
||||||
+ *
|
|
||||||
+ * @param[in] key the secure key token
|
|
||||||
+ * @param[in] key_size the size of the secure key
|
|
||||||
+ *
|
|
||||||
+ * @returns true if the key is an EP11 AES token with external header type
|
|
||||||
+ */
|
|
||||||
+bool is_ep11_aes_key_with_header(const u8 *key, size_t key_size)
|
|
||||||
+{
|
|
||||||
+ struct ep11kblob_header *header = (struct ep11kblob_header *)key;
|
|
||||||
+ struct ep11keytoken *ep11key =
|
|
||||||
+ (struct ep11keytoken *)(key + sizeof(struct ep11kblob_header));
|
|
||||||
+
|
|
||||||
+ if (key == NULL || key_size < EP11_AES_KEY_SIZE)
|
|
||||||
+ return false;
|
|
||||||
+
|
|
||||||
+ if (header->type != TOKEN_TYPE_NON_CCA)
|
|
||||||
+ return false;
|
|
||||||
+ if (header->hver != 0)
|
|
||||||
+ return false;
|
|
||||||
+ if (header->version != TOKEN_VERSION_EP11_AES_WITH_HEADER)
|
|
||||||
+ return false;
|
|
||||||
+ if (header->len > key_size)
|
|
||||||
+ return false;
|
|
||||||
+
|
|
||||||
+ if (ep11key->version != 0x1234)
|
|
||||||
+ return false;
|
|
||||||
+
|
|
||||||
+ return true;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * Check if the specified EP11 AES key is session bound.
|
|
||||||
+ *
|
|
||||||
+ * @param[in] key the secure key token
|
|
||||||
+ * @param[in] key_size the size of the secure key
|
|
||||||
+ *
|
|
||||||
+ * @returns true if the key is an EP11 AES token type
|
|
||||||
+ */
|
|
||||||
+bool is_ep11_key_session_bound(const u8 *key, size_t key_size)
|
|
||||||
+{
|
|
||||||
+ struct ep11keytoken *ep11key;
|
|
||||||
+
|
|
||||||
+ if (is_ep11_aes_key(key, key_size)) {
|
|
||||||
+ ep11key = (struct ep11keytoken *)key;
|
|
||||||
+ return memcmp(ep11key->session + sizeof(ep11key->head),
|
|
||||||
+ ZERO_SESSION, sizeof(ep11key->session) -
|
|
||||||
+ sizeof(ep11key->head)) != 0;
|
|
||||||
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
|
|
||||||
+ ep11key = (struct ep11keytoken *)
|
|
||||||
+ (key + sizeof(struct ep11kblob_header));
|
|
||||||
+ return memcmp(ep11key->session, ZERO_SESSION,
|
|
||||||
+ sizeof(ep11key->session)) != 0;
|
|
||||||
+ } else {
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
* Check if the specified key is an XTS type key
|
|
||||||
*
|
|
||||||
* @param[in] key the secure key token
|
|
||||||
@@ -1629,6 +1744,11 @@ bool is_xts_key(const u8 *key, size_t ke
|
|
||||||
is_ep11_aes_key(key + EP11_KEY_SIZE,
|
|
||||||
key_size - EP11_KEY_SIZE))
|
|
||||||
return true;
|
|
||||||
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
|
|
||||||
+ if (key_size == 2 * EP11_AES_KEY_SIZE &&
|
|
||||||
+ is_ep11_aes_key_with_header(key + EP11_AES_KEY_SIZE,
|
|
||||||
+ key_size - EP11_AES_KEY_SIZE))
|
|
||||||
+ return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
@@ -1650,6 +1770,7 @@ int get_key_bit_size(const u8 *key, size
|
|
||||||
struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key;
|
|
||||||
struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key;
|
|
||||||
struct ep11keytoken *ep11key = (struct ep11keytoken *)key;
|
|
||||||
+ struct ep11kblob_header *hdr = (struct ep11kblob_header *)key;
|
|
||||||
|
|
||||||
util_assert(bitsize != NULL, "Internal error: bitsize is NULL");
|
|
||||||
|
|
||||||
@@ -1672,10 +1793,17 @@ int get_key_bit_size(const u8 *key, size
|
|
||||||
*bitsize += cipherkey->pl - 384;
|
|
||||||
}
|
|
||||||
} else if (is_ep11_aes_key(key, key_size)) {
|
|
||||||
- *bitsize = ep11key->head.keybitlen;
|
|
||||||
+ *bitsize = ep11key->head.bitlen;
|
|
||||||
if (key_size == 2 * EP11_KEY_SIZE) {
|
|
||||||
ep11key = (struct ep11keytoken *)(key + EP11_KEY_SIZE);
|
|
||||||
- *bitsize += ep11key->head.keybitlen;
|
|
||||||
+ *bitsize += ep11key->head.bitlen;
|
|
||||||
+ }
|
|
||||||
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
|
|
||||||
+ *bitsize = hdr->bitlen;
|
|
||||||
+ if (key_size == 2 * EP11_AES_KEY_SIZE) {
|
|
||||||
+ hdr = (struct ep11kblob_header *)
|
|
||||||
+ (key + EP11_AES_KEY_SIZE);
|
|
||||||
+ *bitsize += hdr->bitlen;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return -EINVAL;
|
|
||||||
@@ -1700,6 +1828,8 @@ const char *get_key_type(const u8 *key,
|
|
||||||
return KEY_TYPE_CCA_AESCIPHER;
|
|
||||||
if (is_ep11_aes_key(key, key_size))
|
|
||||||
return KEY_TYPE_EP11_AES;
|
|
||||||
+ if (is_ep11_aes_key_with_header(key, key_size))
|
|
||||||
+ return KEY_TYPE_EP11_AES;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2016,7 +2146,8 @@ int reencipher_secure_key(struct ext_lib
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (is_ep11_aes_key(secure_key, secure_key_size)) {
|
|
||||||
+ if (is_ep11_aes_key(secure_key, secure_key_size) ||
|
|
||||||
+ is_ep11_aes_key_with_header(secure_key, secure_key_size)) {
|
|
||||||
/* EP11 secure key: need the EP11 host library */
|
|
||||||
if (lib->ep11->lib_ep11 == NULL) {
|
|
||||||
rc = load_ep11_library(lib->ep11, verbose);
|
|
||||||
--- a/zkey/pkey.h
|
|
||||||
+++ b/zkey/pkey.h
|
|
||||||
@@ -39,6 +39,8 @@ struct tokenheader {
|
|
||||||
#define TOKEN_VERSION_PROTECTED_KEY 0x01
|
|
||||||
#define TOKEN_VERSION_CLEAR_KEY 0x02
|
|
||||||
#define TOKEN_VERSION_EP11_AES 0x03
|
|
||||||
+#define TOKEN_VERSION_EP11_AES_WITH_HEADER 0x06
|
|
||||||
+#define TOKEN_VERSION_EP11_ECC_WITH_HEADER 0x07
|
|
||||||
|
|
||||||
struct aesdatakeytoken {
|
|
||||||
u8 type; /* TOKEN_TYPE_INTERNAL (0x01) for internal key token */
|
|
||||||
@@ -89,17 +91,20 @@ struct aescipherkeytoken {
|
|
||||||
u8 varpart[80]; /* variable part */
|
|
||||||
} __packed;
|
|
||||||
|
|
||||||
+struct ep11kblob_header {
|
|
||||||
+ u8 type; /* always 0x00 */
|
|
||||||
+ u8 hver; /* header version, currently needs to be 0x00 */
|
|
||||||
+ u16 len; /* total length in bytes (including this header) */
|
|
||||||
+ u8 version; /* PKEY_TYPE_EP11_AES or PKEY_TYPE_EP11_ECC */
|
|
||||||
+ u8 res0; /* unused */
|
|
||||||
+ u16 bitlen; /* clear key bit len, 0 for unknown */
|
|
||||||
+ u8 res1[8]; /* unused */
|
|
||||||
+} __packed;
|
|
||||||
+
|
|
||||||
struct ep11keytoken {
|
|
||||||
union {
|
|
||||||
u8 session[32];
|
|
||||||
- struct {
|
|
||||||
- u8 type; /* TOKEN_TYPE_NON_CCA (0x00) */
|
|
||||||
- u8 res0; /* unused */
|
|
||||||
- u16 length; /* length of token */
|
|
||||||
- u8 version; /* TOKEN_VERSION_EP11_AES (0x03) */
|
|
||||||
- u8 res1; /* unused */
|
|
||||||
- u16 keybitlen; /* clear key bit len, 0 for unknown */
|
|
||||||
- } head;
|
|
||||||
+ struct ep11kblob_header head;
|
|
||||||
};
|
|
||||||
u8 wkvp[16]; /* wrapping key verification pattern */
|
|
||||||
u64 attr; /* boolean key attributes */
|
|
||||||
@@ -111,18 +116,29 @@ struct ep11keytoken {
|
|
||||||
u8 padding[64];
|
|
||||||
} __packed;
|
|
||||||
|
|
||||||
+#define ZERO_SESSION \
|
|
||||||
+ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
|
|
||||||
+
|
|
||||||
#define AESDATA_KEY_SIZE sizeof(struct aesdatakeytoken)
|
|
||||||
#define AESCIPHER_KEY_SIZE sizeof(struct aescipherkeytoken)
|
|
||||||
#define EP11_KEY_SIZE sizeof(struct ep11keytoken)
|
|
||||||
+#define EP11_AES_KEY_SIZE (sizeof(struct ep11kblob_header) + \
|
|
||||||
+ sizeof(struct ep11keytoken))
|
|
||||||
|
|
||||||
/* MAX/MIN from zt_common.h produces warnings for variable length arrays */
|
|
||||||
#define _MIN(a, b) ((a) < (b) ? (a) : (b))
|
|
||||||
#define _MAX(a, b) ((a) > (b) ? (a) : (b))
|
|
||||||
|
|
||||||
-#define MAX_SECURE_KEY_SIZE _MAX(EP11_KEY_SIZE, \
|
|
||||||
- _MAX(AESDATA_KEY_SIZE, AESCIPHER_KEY_SIZE))
|
|
||||||
-#define MIN_SECURE_KEY_SIZE _MIN(EP11_KEY_SIZE, \
|
|
||||||
- _MIN(AESDATA_KEY_SIZE, AESCIPHER_KEY_SIZE))
|
|
||||||
+#define MAX_SECURE_KEY_SIZE _MAX( \
|
|
||||||
+ _MAX(EP11_KEY_SIZE, \
|
|
||||||
+ EP11_AES_KEY_SIZE), \
|
|
||||||
+ _MAX(AESDATA_KEY_SIZE, \
|
|
||||||
+ AESCIPHER_KEY_SIZE))
|
|
||||||
+#define MIN_SECURE_KEY_SIZE _MIN( \
|
|
||||||
+ _MIN(EP11_KEY_SIZE, \
|
|
||||||
+ EP11_AES_KEY_SIZE), \
|
|
||||||
+ _MIN(AESDATA_KEY_SIZE, \
|
|
||||||
+ AESCIPHER_KEY_SIZE))
|
|
||||||
|
|
||||||
struct pkey_seckey {
|
|
||||||
u8 seckey[AESDATA_KEY_SIZE]; /* the secure key blob */
|
|
||||||
@@ -175,6 +191,9 @@ enum pkey_key_type {
|
|
||||||
PKEY_TYPE_CCA_DATA = (u32) 1,
|
|
||||||
PKEY_TYPE_CCA_CIPHER = (u32) 2,
|
|
||||||
PKEY_TYPE_EP11 = (u32) 3,
|
|
||||||
+ PKEY_TYPE_CCA_ECC = (u32) 0x1f,
|
|
||||||
+ PKEY_TYPE_EP11_AES = (u32) 6,
|
|
||||||
+ PKEY_TYPE_EP11_ECC = (u32) 7,
|
|
||||||
};
|
|
||||||
|
|
||||||
enum pkey_key_size {
|
|
||||||
@@ -321,6 +340,8 @@ int get_master_key_verification_pattern(
|
|
||||||
bool is_cca_aes_data_key(const u8 *key, size_t key_size);
|
|
||||||
bool is_cca_aes_cipher_key(const u8 *key, size_t key_size);
|
|
||||||
bool is_ep11_aes_key(const u8 *key, size_t key_size);
|
|
||||||
+bool is_ep11_aes_key_with_header(const u8 *key, size_t key_size);
|
|
||||||
+bool is_ep11_key_session_bound(const u8 *key, size_t key_size);
|
|
||||||
bool is_xts_key(const u8 *key, size_t key_size);
|
|
||||||
int get_key_bit_size(const u8 *key, size_t key_size, size_t *bitsize);
|
|
||||||
const char *get_key_type(const u8 *key, size_t key_size);
|
|
||||||
--- a/zkey/zkey-cryptsetup.c
|
|
||||||
+++ b/zkey/zkey-cryptsetup.c
|
|
||||||
@@ -1673,7 +1673,10 @@ static int reencipher_prepare(int token)
|
|
||||||
warnx("Failed to re-encipher the secure volume "
|
|
||||||
"key for device '%s'\n", g.pos_arg);
|
|
||||||
if (!selected &&
|
|
||||||
- !is_ep11_aes_key((u8 *)key, securekeysize))
|
|
||||||
+ !is_ep11_aes_key((u8 *)key,
|
|
||||||
+ securekeysize) &&
|
|
||||||
+ !is_ep11_aes_key_with_header((u8 *)key,
|
|
||||||
+ securekeysize))
|
|
||||||
print_msg_for_cca_envvars(
|
|
||||||
"secure AES volume key");
|
|
||||||
rc = -EINVAL;
|
|
||||||
@@ -1696,7 +1699,10 @@ static int reencipher_prepare(int token)
|
|
||||||
warnx("Failed to re-encipher the secure volume "
|
|
||||||
"key for device '%s'\n", g.pos_arg);
|
|
||||||
if (!selected &&
|
|
||||||
- !is_ep11_aes_key((u8 *)key, securekeysize))
|
|
||||||
+ !is_ep11_aes_key((u8 *)key,
|
|
||||||
+ securekeysize) &&
|
|
||||||
+ !is_ep11_aes_key_with_header((u8 *)key,
|
|
||||||
+ securekeysize))
|
|
||||||
print_msg_for_cca_envvars(
|
|
||||||
"secure AES volume key");
|
|
||||||
rc = -EINVAL;
|
|
||||||
@@ -1836,7 +1842,10 @@ static int reencipher_complete(int token
|
|
||||||
warnx("Failed to re-encipher the secure volume "
|
|
||||||
"key for device '%s'\n", g.pos_arg);
|
|
||||||
if (!selected &&
|
|
||||||
- !is_ep11_aes_key((u8 *)key, securekeysize))
|
|
||||||
+ !is_ep11_aes_key((u8 *)key,
|
|
||||||
+ securekeysize) &&
|
|
||||||
+ !is_ep11_aes_key_with_header((u8 *)key,
|
|
||||||
+ securekeysize))
|
|
||||||
print_msg_for_cca_envvars(
|
|
||||||
"secure AES volume key");
|
|
||||||
rc = -EINVAL;
|
|
||||||
--- a/zkey/zkey.c
|
|
||||||
+++ b/zkey/zkey.c
|
|
||||||
@@ -1968,7 +1968,9 @@ static int command_reencipher_file(void)
|
|
||||||
"master key has failed\n");
|
|
||||||
if (!selected &&
|
|
||||||
!is_ep11_aes_key(secure_key,
|
|
||||||
- secure_key_size))
|
|
||||||
+ secure_key_size) &&
|
|
||||||
+ !is_ep11_aes_key_with_header(secure_key,
|
|
||||||
+ secure_key_size))
|
|
||||||
print_msg_for_cca_envvars(
|
|
||||||
"secure AES key");
|
|
||||||
}
|
|
||||||
@@ -1993,7 +1995,9 @@ static int command_reencipher_file(void)
|
|
||||||
"master key has failed\n");
|
|
||||||
if (!selected &&
|
|
||||||
!is_ep11_aes_key(secure_key,
|
|
||||||
- secure_key_size))
|
|
||||||
+ secure_key_size) &&
|
|
||||||
+ !is_ep11_aes_key_with_header(secure_key,
|
|
||||||
+ secure_key_size))
|
|
||||||
print_msg_for_cca_envvars(
|
|
||||||
"secure AES key");
|
|
||||||
}
|
|
@ -1,5 +1,55 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Nov 15 07:55:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
Sun Dec 17 05:48:56 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Updated the .spec file to use gcc13 (bsc#1217838)
|
||||||
|
- Amended read_values for '-S' option (bsc#1217923)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 4 13:34:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Upgrade s390-tools to version 2.30
|
||||||
|
(jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604,
|
||||||
|
jsc#PED-6649, jsc#PED-7138 )
|
||||||
|
- Add new tools / libraries:
|
||||||
|
* lspai: Tool to display PAI counter sets
|
||||||
|
* s390-tools: Provide a ShellCheck configuration
|
||||||
|
- Changes of existing tools / libraries:
|
||||||
|
* cpumf/pai: Add command line option for realtime scheduling
|
||||||
|
* dbginfo.sh: enhance ethtool collection for ROCE
|
||||||
|
* libutil/util_lockfile: add routine to return owning pid of file lock
|
||||||
|
* lszcrypt: Improve lszcrypt output on SE guests
|
||||||
|
* rust: Use a single workspace for all rust tools
|
||||||
|
* zdev: limit the derivation of ZDEV_SITE_ID
|
||||||
|
* zdump/df_s390: Update 'zgetdump -i' output with zlib info
|
||||||
|
* zdump/dfi_s390: Support reading compressed s390_ext dumps
|
||||||
|
* zipl/boot: Integrate zlib compression to single volume DASD dumper
|
||||||
|
* zipl/boot: compile the bootloaders only if HOST_ARCH is s390x
|
||||||
|
* zipl: Add --no-compress option to zipl command
|
||||||
|
* zkey: Also check for deconfigured and check-stopped cards
|
||||||
|
- Bug Fixes:
|
||||||
|
* ap_tools/ap-check: handle get-attributes between pre and post event
|
||||||
|
* libutil: fix util_file_read_*() using wrong format specifiers
|
||||||
|
* rust/pv: fix Invalid write of size
|
||||||
|
- Amended the SUSE patches for version 2.30
|
||||||
|
- Revendored vendor.tar.gz
|
||||||
|
- Removed an obsolete patch
|
||||||
|
* s390-tools-sles15sp6-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 24 07:51:10 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Provide s390-tools on x86_64 to enable Secure Execution in the Cloud
|
||||||
|
(jsc#PED-578, jsc#PED-7136, and jsc#PED-7138)
|
||||||
|
* Selected tools from the s390-tools package need to be made available on x86_64.
|
||||||
|
This will enable the integration of IBM Z machines running Secure Execution in a
|
||||||
|
cloud environment where users don't necessarily need to have an s390x environment.
|
||||||
|
- genprotimg - (for building secure images)
|
||||||
|
- pvsecret -
|
||||||
|
- pvattest - (for external attestation)
|
||||||
|
- pvextract-hdr -
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 15 07:31:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
- Fixed a logic error in read_values.c
|
- Fixed a logic error in read_values.c
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: s390-tools
|
Name: s390-tools
|
||||||
Version: 2.29.0
|
Version: 2.30.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: S/390 tools like zipl and dasdfmt
|
Summary: S/390 tools like zipl and dasdfmt
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -152,17 +152,16 @@ Patch909: s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl
|
|||||||
Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
|
Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
|
||||||
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
|
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
|
||||||
Patch912: s390-tools-ALP-zdev-live.patch
|
Patch912: s390-tools-ALP-zdev-live.patch
|
||||||
Patch913: s390-tools-sles15sp6-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
|
|
||||||
###
|
###
|
||||||
|
|
||||||
BuildRequires: curl-devel
|
BuildRequires: curl-devel
|
||||||
BuildRequires: dracut
|
BuildRequires: dracut
|
||||||
BuildRequires: fuse3-devel
|
BuildRequires: fuse3-devel
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc13
|
||||||
|
BuildRequires: gcc13-c++
|
||||||
BuildRequires: gettext-tools
|
BuildRequires: gettext-tools
|
||||||
BuildRequires: glib2-devel
|
BuildRequires: glib2-devel
|
||||||
BuildRequires: glibc-devel-static
|
BuildRequires: glibc-devel-static
|
||||||
BuildRequires: kernel-zfcpdump
|
|
||||||
BuildRequires: libcryptsetup-devel > 2.0.3
|
BuildRequires: libcryptsetup-devel > 2.0.3
|
||||||
BuildRequires: libjson-c-devel
|
BuildRequires: libjson-c-devel
|
||||||
BuildRequires: libxml2-devel
|
BuildRequires: libxml2-devel
|
||||||
@ -171,10 +170,14 @@ BuildRequires: ncurses-devel
|
|||||||
BuildRequires: net-snmp-devel
|
BuildRequires: net-snmp-devel
|
||||||
BuildRequires: openssl-devel >= 1.1.1l
|
BuildRequires: openssl-devel >= 1.1.1l
|
||||||
BuildRequires: pesign-obs-integration
|
BuildRequires: pesign-obs-integration
|
||||||
BuildRequires: qclib-devel-static
|
|
||||||
BuildRequires: systemd-devel
|
BuildRequires: systemd-devel
|
||||||
BuildRequires: tcpd-devel
|
BuildRequires: tcpd-devel
|
||||||
BuildRequires: zlib-devel-static
|
BuildRequires: zlib-devel-static
|
||||||
|
### x86_64
|
||||||
|
%ifarch s390x
|
||||||
|
BuildRequires: kernel-zfcpdump
|
||||||
|
BuildRequires: qclib-devel-static
|
||||||
|
%endif
|
||||||
### Cargo
|
### Cargo
|
||||||
BuildRequires: rust
|
BuildRequires: rust
|
||||||
BuildRequires: cargo
|
BuildRequires: cargo
|
||||||
@ -195,7 +198,7 @@ Requires(post): permissions
|
|||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
Recommends: blktrace
|
Recommends: blktrace
|
||||||
Provides: s390utils:/sbin/dasdfmt
|
Provides: s390utils:/sbin/dasdfmt
|
||||||
ExclusiveArch: s390x
|
### ExclusiveArch: s390x x86_64
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the tools needed to use Linux on IBM z Systems
|
This package contains the tools needed to use Linux on IBM z Systems
|
||||||
@ -315,15 +318,16 @@ unavailable, the toolset checks for operational paths to the same
|
|||||||
volume. If available, it reconfigures the FCP re-IPL settings to use an
|
volume. If available, it reconfigures the FCP re-IPL settings to use an
|
||||||
operational path.
|
operational path.
|
||||||
|
|
||||||
|
### *** s390x ************************************************************************* ###
|
||||||
|
%ifarch s390x
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
|
||||||
cp -vi %{SOURCE22} CAUTION
|
cp -vi %{SOURCE22} CAUTION
|
||||||
|
|
||||||
###
|
|
||||||
install -D -m 0644 %{SOURCE200} .cargo/config
|
install -D -m 0644 %{SOURCE200} .cargo/config
|
||||||
tar -xzvf %{SOURCE201}
|
tar -xzf %{SOURCE201}
|
||||||
###
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
@ -333,13 +337,17 @@ tar -xzvf %{SOURCE201}
|
|||||||
|
|
||||||
export OPT_FLAGS="%{optflags}"
|
export OPT_FLAGS="%{optflags}"
|
||||||
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
|
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
|
||||||
%make_build \
|
|
||||||
|
%make_build -v \
|
||||||
ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \
|
ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \
|
||||||
DISTRELEASE=%{release} \
|
DISTRELEASE=%{release} \
|
||||||
UDEVRUNDIR=/run/udev \
|
UDEVRUNDIR=/run/udev \
|
||||||
HAVE_CARGO=1 \
|
HAVE_CARGO=1 \
|
||||||
HAVE_DRACUT=1
|
HAVE_DRACUT=1 \
|
||||||
gcc -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
|
CC=gcc-13 \
|
||||||
|
CXX=g++-13
|
||||||
|
### all
|
||||||
|
gcc-13 -v -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir -p %{buildroot}/boot/zipl
|
mkdir -p %{buildroot}/boot/zipl
|
||||||
@ -350,7 +358,10 @@ mkdir -p %{buildroot}%{_sysconfdir}/zkey/repository
|
|||||||
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
||||||
UDEVRUNDIR=/run/udev \
|
UDEVRUNDIR=/run/udev \
|
||||||
HAVE_CARGO=1 \
|
HAVE_CARGO=1 \
|
||||||
HAVE_DRACUT=1
|
HAVE_DRACUT=1 \
|
||||||
|
CC=gcc-13 \
|
||||||
|
CXX=g++-13
|
||||||
|
### all
|
||||||
|
|
||||||
# The make install command puts things in /etc/sysconfig and not the
|
# The make install command puts things in /etc/sysconfig and not the
|
||||||
# fillup-templates directory. Let's try moving them where they belong
|
# fillup-templates directory. Let's try moving them where they belong
|
||||||
@ -735,4 +746,44 @@ done
|
|||||||
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules
|
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules
|
||||||
%{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man}
|
%{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man}
|
||||||
|
|
||||||
|
### _endif
|
||||||
|
### *** !s390x ************************************************************************* ###
|
||||||
|
### _ifarch x86_64
|
||||||
|
%else
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
install -D -m 0644 %{SOURCE200} .cargo/config
|
||||||
|
tar -xzf %{SOURCE201}
|
||||||
|
|
||||||
|
%build
|
||||||
|
export OPT_FLAGS="%{optflags}"
|
||||||
|
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
|
||||||
|
%make_build \
|
||||||
|
DISTRELEASE=%{release} \
|
||||||
|
UDEVRUNDIR=/run/udev \
|
||||||
|
HAVE_CARGO=1 \
|
||||||
|
HAVE_DRACUT=1
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install \
|
||||||
|
DISTRELEASE=%{release} \
|
||||||
|
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
||||||
|
UDEVRUNDIR=/run/udev \
|
||||||
|
HAVE_CARGO=1 \
|
||||||
|
HAVE_DRACUT=1
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{_prefix}/bin/*
|
||||||
|
%{_prefix}/share/s390-tools/*
|
||||||
|
%dir /usr/share/s390-tools
|
||||||
|
%{_mandir}/man1/*
|
||||||
|
|
||||||
|
%files debuginfo
|
||||||
|
%dir %{_prefix}/lib/debug
|
||||||
|
%dir %{_prefix}/lib/debug/usr/bin
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
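Review bot: In the s390x `%build` hunk, `%make_build -v \` passes `-v` to make, and GNU make treats `-v` as `--version`: it prints its version banner and exits successfully without building any target. If that holds here, nothing is compiled in `%build`, and compilation is presumably deferred to `%make_install`, which runs in a separate shell where `export OPT_FLAGS="%{optflags}"` is no longer set, so the binaries may be built without the distribution's optimisation and hardening flags. I would change the line back to `%make_build \`, the form the non-s390x branch already uses, and keep `-v` only on the separate `gcc-13 ... read_values` line if more compiler output is wanted. It is worth confirming in the build log that objects are compiled during `%build` and that the `%{optflags}` values appear on the compile lines.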
BIN
vendor.tar.gz
(Stored with Git LFS)
BIN
vendor.tar.gz
(Stored with Git LFS)
Binary file not shown.